Re: Multiple 538 and 540 ID's in 2003 server Security Events Log?
- From: "Eric Fitzgerald [MSFT]" <ericf@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 31 Aug 2006 19:04:33 -0700
During every domain logon from a workstation, the domain controller has to
be contacted several times for several reasons:
- LDAP
- Shares (Netlogon for logon scripts, sysvol for policies)
- etc.
Each connection will cause a 540/538 pair.
In Vista we've added share access auditing and RPC auditing so that you can
see precisely what's being accessed. We've also allowed high-volume events
to be turned off individually or in very small groups, so that for instance
you can generate logon events but suppress logoff events, etc.
Best regards,
Eric
--
This information is provided "AS-IS" with no warranty, and confers no
rights.
"Reluctant Sys-Admin" <ReluctantSysAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:06D890FE-CF4D-4151-BFED-80DE714D8EF5@xxxxxxxxxxxxxxxx
I have a 2003 Server domain controller and XP workstations. I am trying to
audit when domain users log on and off the domain for the day.
There seem to be multiple 538 (successful logoff) and 540 (successful logon)
event IDs in the Security Events Log for each user when they log on. Both
IDs appear again several times when the user logs off. Sometimes the IDs
appear a few minutes apart for the same actual log on/off event, which makes
it hard to tell when the event actually occurred. Is there a better way to
tell conclusively exactly when a user logs on/off the domain?
Thanks!
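The 540/538 pairing described in the reply above, as an added example (not part of the original thread and not Microsoft tooling): it matches each 540 to the 538 with the same Logon ID, then groups one user's connections into bursts. It assumes the events were exported with their Logon ID field; the sample records, the tuple layout and the 5-minute gap heuristic are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data): (time, event ID, user, Logon ID).
# Assumption: the Logon ID field was exported alongside each event.
SAMPLE = [
    ("2006-08-31 08:01:10", 540, "alice", "0x1a2f"),
    ("2006-08-31 08:01:11", 540, "alice", "0x1a35"),
    ("2006-08-31 08:01:12", 538, "alice", "0x1a2f"),
    ("2006-08-31 08:03:40", 540, "alice", "0x1b02"),
    ("2006-08-31 08:03:55", 538, "alice", "0x1a35"),
    ("2006-08-31 08:04:02", 538, "alice", "0x1b02"),
    ("2006-08-31 17:30:05", 540, "alice", "0x2c10"),
    ("2006-08-31 17:30:20", 538, "alice", "0x2c10"),
]

def parse(rows):
    """Convert the timestamp strings to datetime objects."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, user, lid)
            for t, eid, user, lid in rows]

def pair_connections(events):
    """Match each 540 to the 538 carrying the same Logon ID."""
    open_logons, pairs = {}, []
    for when, eid, user, lid in sorted(events, key=lambda e: e[0]):
        if eid == 540:
            open_logons[lid] = (user, when)
        elif eid == 538 and lid in open_logons:
            who, start = open_logons.pop(lid)
            pairs.append((who, lid, start, when))
    return pairs, open_logons  # open_logons: 540s with no 538 seen yet

def bursts(pairs, gap=timedelta(minutes=5)):
    """Group a user's connections that start within `gap` of the previous one."""
    by_user = defaultdict(list)
    for user, _lid, start, end in sorted(pairs, key=lambda p: p[2]):
        runs = by_user[user]
        if runs and start - runs[-1]["last_start"] <= gap:
            runs[-1]["last_start"] = start
            runs[-1]["end"] = max(runs[-1]["end"], end)
            runs[-1]["connections"] += 1
        else:
            runs.append({"start": start, "last_start": start,
                         "end": end, "connections": 1})
    return dict(by_user)
```

On the constructed sample this yields two bursts for the one user: three 540/538 pairs within a few minutes in the morning and a single pair in the evening.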